General
-
Target
21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96
-
Size
534KB
-
Sample
230206-rxvyyaed37
-
MD5
5d444963cb8edc7745fcc4d6e8d31358
-
SHA1
6f40cbe3a55c80e84f503a5f33557a125aac8a8a
-
SHA256
21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96
-
SHA512
382d11a72e1c01fba20a5130b2917fa85e51a9a347172a69535adab17d5a8f66fa85f43862c39887907c08e0be809b2867e6f9154f199857a57ab6dc5797c242
-
SSDEEP
12288:DP/ReMHgqTPWORNdHq9D5CTROMDCJ+0cWeh3ih9HdA:zpeWbC9ATKo0cBYTG
Static task
static1
Behavioral task
behavioral1
Sample
21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
asyncrat
0.5.7B
Default
192.3.193.136:2023
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
agenttesla
https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/
Targets
-
-
Target
21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96
-
Size
534KB
-
MD5
5d444963cb8edc7745fcc4d6e8d31358
-
SHA1
6f40cbe3a55c80e84f503a5f33557a125aac8a8a
-
SHA256
21b1d3298f190b1e90d3dc38d14fff7961854ee431ef70d10d3186ac36f3cd96
-
SHA512
382d11a72e1c01fba20a5130b2917fa85e51a9a347172a69535adab17d5a8f66fa85f43862c39887907c08e0be809b2867e6f9154f199857a57ab6dc5797c242
-
SSDEEP
12288:DP/ReMHgqTPWORNdHq9D5CTROMDCJ+0cWeh3ih9HdA:zpeWbC9ATKo0cBYTG
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Neshta payload
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-